Podcasts
Afternoon Cyber Tea with Ann Johnson
Ep 80
Afternoon Cyber Tea with Ann Johnson 9.5.23
Ep 80 | 9.5.23

The Rise in Social Engineering

Show Notes
Transcript

Ann Johnson: Welcome to "Afternoon Cyber Tear", where we explore the intersection of innovation and cybersecurity. I'm your host, Ann Johnson. From the front lines of digital defense to groundbreaking advancements shaping our digital future, we will bring you the latest insights, expert interviews, and captivating stories to stay one step ahead. Today, I'm joined by Jenny Radcliffe, better known in some circles as The People Hacker. Jenny is an ethical social engineer, a people hacker hired to smash security measures using psychology, con-artistry, subliminal linguistics, cunning, and guile. Jenny has led simulated cybercriminal attacks on businesses of all types and sizes, running crews with varied expertise and experience to help secure client sites and information for malicious attacks. She is the go-to expert on the human element of security, scams, and social engineering, and is also host of the award winning podcast "The Human Factor". Welcome to "Afternoon Cyber Tea", Jenny.

Jenny Radcliff: Thank you for having me. It's a pleasure to be here.

Ann Johnson: So, Jenny, you have this really fascinating life and career, and I've been looking forward to our conversation for quite a while, and we are going to dig into some specific experiences, the jobs, the cons that you've run. But before we get there, I want to zoom out and give our audience the big picture. You are an ethical hacker, you're a social engineer, and you've helped organizations secure their sites, their information, and their people. But most social engineers don't necessarily have the best intent. There are many that are just playing criminals. So, can you start by talking, you know, a layperson's terms, right, someone who's not a security professional, the description of a social engineer, an ethical hacker, and tell us how you found your way into this interesting career onto the ethical side of hacking and the ethical side of social engineering.

Jenny Radcliff: Yeah. I mean, people hacker is still a hacker, right? And I think people always think of hackers, we use that term interchangeably with criminal a lot of the time. And that's not always the case. As you say, ethical hackers play a huge part in defense. And social engineering is really, it's another kind of misnomer for people, because what it does is it tests security systems without using technology, OK, or rather kind of aligned with technology. So I'm all about working on psychology of what people think and what we can get people to do, what we can persuade, manipulate people to do. And that always sounds very negative. But I always say to people, think of it kind of like a fire test, like a fire drill, sort of a cross between that and a kind of really sort of scummy version of "Ocean's Eleven", where not everyone's quite that good looking. And so, yes, that's what we do. So, I'm hired by organizations and high net worth individuals to attempt to break their security through psychology, essentially through conversation, through sort of human characteristics. And I do that in two ways. I specialize in two things. The first is the script for things like phishing emails, text messages, social media approaches, and all the research behind that. But also, what I'm really known for and what my book was all about was because this is the thing people are interested in, is physical infiltration. So that's when a client wants us to actually get onto that site, get through any security measures that are protecting an actual physical site and use that as a security test, see where the vulnerabilities are. Now, there's no real career path into that. Even now in security, there is still very little formal training, especially on my type of social engineering. So there are people who are social engineers, but it's kind of a side dish to a more technical expertise. But I started out by accident, really. I grew up in kind of quite a testing environment, if you like. It was a time when there was a lot of crime and unemployment where I lived, and I hung out with my family, some cousins of mine. We started out looking at empty buildings near where we lived and did a lot of that. We sort of got into those when I was a kid. And most of that was completely harmless, although I do talk about a few things in the book that wasn't so harmless. But as that grew on, we were asked to do that for people to be paid to do it, to check if we could find a way into their home, or into their workplace, then we could help protect that from people who have malintent. And that's really how it grew. And then, as cyber grew alongside it, we realized that not all infiltrations needed to be physical, but that most jobs are a combination of psychology, online approaches, and physical infiltration work.

Ann Johnson: OK. That's really, really fascinating. And I want to talk more as we go through this about the things you've seen and the experiences you documented in your book. One of the things I also want to talk about is that there's all types of social engineers, right? There was a really interesting Harvard Business case study talking about how the 9/11 attacks in the United States were basically social engineering attacks. And there's romantic social engineers that craft relationship with their targets. Some of these things have even been glamorized, which isn't fantastic when we, in the popular media, make it look like it's something that we should aspire to in some of the things that we've seen in "Tinder Swindler" and "Inventing Anna". But no matter the type of social engineer there is, they all seem to have common foundational motivations. There's go-to strategies. There's certain tactics. Can you talk us through some of those common strategies and tactics that social engineers deploy, and also how you use them in your own work, but also how your average person can recognize and avoid them?

Jenny Radcliff: Yeah. I mean, it's interesting, isn't it? Firstly, I have absolutely nothing but condemnation for kind of making heroes of criminals. I watch programs like "Inventing Anna" and it's a great show. It's interesting. It's entertaining. But we have to be very careful, I think, in popular culture, of making heroes of people who are criminals. And I think we do that quite a lot in society. So I'm just going to say that first off. In terms of the strategies that we use, social engineers, people who are scammers and fraudsters, tend to zoom in on the human characteristics. So I often say at the start of a keynote, we weaponize human emotion, and characteristics, and mistakes. And that's really what happens. So what we would look at doing is looking at what motivates people. What do people care about? What blindsides someone into ignoring procedure, ignoring the rules, going around what they're supposed to do in terms of operations. And the sorts of things that really kind of chime with everyone because they are partly what makes us human are things like ego, emotion, convenience. And those are really kind of what we play to as social engineers. So an example would be if were looking at a job on a physical site. Most sites these days have very specific security guidelines around what entrances and exits people use and under what circumstances, what routes people are allowed to take around buildings and sites. And what we watch for is the people who actually work for the company ignoring those, because they take too long, or because they're in a rush. They want to sort of trade convenience for security. So those are sort of the types of things. I mean, I mentioned ego there. And you asked me to sort of give you some idea of the types of things that we would use. And as I say, I mentioned in my book a little bit, but there's times when ego is the only thing that works. Sometimes, people are cautious about security measures online. They're cautious about what they give away. But we found with one particular client whose team had asked us to test him specifically, that when we said, "Oh, well, we're working for an online magazine and we really want to feature you and take some pictures with you and talk about your work and your charities and your causes," that that's enough to convince that person. So I think really what you're looking at is there isn't a common strategy or tactic. It's just that we all have certain things in common. What we're motivated, what really gets you out of bed every morning or gets you online every morning, that's different for everyone. But everyone has something. And that's really how social engineering works. It's looking for the gaps in routine, the gaps in judgment, and the things that really make people do what someone asks them to do, or do what they feel is the best thing to do, even if that's not in their interest.

Ann Johnson: I think that that urgency and that ego are really important to emphasize to people that if you're being asked to do things, and by the way, I think every day this week I've received a social engineer scam in my email or phishing, phishing/social engineering related to an IRS audit, right, a tax audit. Oh, you need to reply now. And you owe a lot of money, and all of those things, right?

Jenny Radcliff: Yeah. I mean, we have them in the UK this time of year from our IRS, which is called HMRC. And people are quite frightened about being late. And there's a fine if you're late, if it's a genuine contact, there's fines. And people want to do the right thing. So that's a mixture of fear, which is one of the emotions, one of the seven big emotions that we use, but also urgency. And I've spoken many times about red flags. I speak about that all the time whenever I'm interviewed or talking to people or audiences. And I say it's emotional stories, emotional content, something that makes you feel different that takes you out of that kind of flat line of just neutral and takes it up a notch. So maybe it's fear. Oh, you haven't completed this form, or you've got a speeding or a traffic offense, but if you pay it quickly, then this problem kind of goes away or diminishes. And it's that idea of when we get in that emotional state, what the brain often wants to do is act. But it's not necessarily act in the right way. It's just something. There's this call to action. And what social engineers will do is they'll give someone a situation, give you a reason to want to get out of that situation, right? Even if it's hopeful, even in the case of like a romance scammer say, it's things like, "Well, I need to come off this platform and talk to you privately, away from the app, because I'm into you so much and I'm sure this is going to be a deep relationship." So there's like this emotional narrative that goes on, emotional content. There will be a story. And then, what the scammer/social engineer will do is give you the next step. And because people want to move forward, they want to move out of any kind of if it's a negative situation, we want to move out of that situation. If it's a positive situation, we want that to remain or escalate. And so, social engineers will always, always use that kind of tendency for humans to try and hook people. And whether that's phishing or smishing or quishing, which is the QR code version, we have this whole lexicon, don't we, in security, no matter what it is, it's not really the method that you're approached. It's that emotional content story, usually urgent or it's helpful if it's an urgent request. And then, there's that call to action. If you do this, then this will happen. Or more specifically, if you do not do this, then these are the consequences.

Ann Johnson: Yeah. And I failed to mention, my husband, this has been a really long time ago, he received the phone call, like a voice phone call from the "IRS". And he's like, "Honey, I have to go to such and such, and I have to pay." I said, "Do not do any of that."

Jenny Radcliff: Yeah.

Ann Johnson: I said, it's phishing attack.

Jenny Radcliff: Yeah.

Ann Johnson: And you just don't do any of that. So it's really interesting that these actors will give you that. You're going to go to jail is a big motivation for somebody to want to do something to avoid losing their freedom, right?

Jenny Radcliff: Right. Because we react to that as humans. Of course, you do. And they know that. And not everybody realizes, "Hang on, can I verify this? This is something that sounds so awful that I'm acting without considering if it's true for sure."

Ann Johnson: Yeah, exactly. Well, let's change just a little, a slight change of course, and talk about you've done a lot of work breaking the physical security programs of companies. Do you find that the strategies and tactics used in the physical world are the same as the cyber world? And do cybersocial engineers and criminals have a distinctly unique approach?

Jenny Radcliff: No, not on my side of it. Like the tactics are the same. It's still always kind of looking for that human connection, looking to sort of try and exploit what someone would forget. I mean, we look at the system holistically, OK? So it's not that you can actually, in many ways, separate the physical and the cyber when it comes to attack. I think that's something that the security industry do a lot. And from a criminal perspective, and again, I'm ethical, but I wear a criminal hat, we just look at the system holistically. So, for example, I've never been a technical hacker. I have lots of friends who are brilliant hackers, technically, and they've taught me one or two things. But I've never looked at it that way. However, of course, as soon as cyber comes online and systems are relying more and more on technology, we just incorporate that into the mix. I think that it's the same. It's still just looking for a weakness. And bear in mind, if we were to find a weakness in a building and didn't have to engage with a human, we'd still exploit it, right? So you look at a target holistically like a system. If we were to look at that system and find the biggest weaknesses were online, then we go there, right? So it's not about what kind of area of expertise we have necessarily, or what silo we kind of would slot into. It's about the target. And I think the reason that I kind of was so popular in my job and got so much work was because we looked at it that way. I looked at the whole thing and just looked for a chink in that armor. It's just that my expertise was finding the human gap. And as it turns out, that tends to be ever present and one of the sort of vulnerabilities that most firms have and most systems have. But just like a criminal, we'll find any way in, and we'll find the easiest way in. So it doesn't differ necessarily. It's more about looking for a vulnerability, finding a way to exploit it.

Ann Johnson: The interesting thing is I have another friend who does this type of work, and they comment. I mean, they're my age, so a little bit older, right? A little bit more and longer term in career. And they said when they were younger, they would carry around a notepad and a pen and be walking the hallways of buildings looking like they're doing something official, like making notes about things, looking at offices. And people would ask them, "Oh, I'm working on the relocation," or some silly statement. Now, they carry around like an iPad and do the same type of thing, right? They carry around tablet.

Jenny Radcliff: Yeah.

Ann Johnson: And they rarely get asked. They rarely get stopped. People just don't pay attention.

Jenny Radcliff: Well, if you look busy and you don't seem to be an immediate threat, and that's very colored by cultural images, and rules, and a lot of which is very questionable, but if you kind of look official, you look busy, you don't look like a threat to whatever that person perceives a threat to be, what you have to understand, this is where the kind of sociology of it comes in, is that most people just want to get on with their day, right? They're busy. They've got their own stuff to deal with. And the last thing they need is to just interrupt somebody who doesn't seem like they're causing a problem anyway. Now, that's not always true in every culture, but it's true in a lot of work cultures and business culture. I'm not surely what happens, and I've relied on that exact thing that he's saying so many times. It's just there's someone who's obviously busy. They've got something to do. They're not sort of causing a problem that I can see. I'm just going to carry on and get on with my day. I'm going to get my coffee, get back to my desk, and carry on with whatever task I've got to finish. That reliance on this isn't my problem is very dangerous. That's part of what we need to kind of get into people's heads is it's OK to ask. Because just like online with, say, someone pretending to be a bank, the real bank doesn't care if you ask 10 times about security because they want that, right? But a scammer is going to care. And I do care if someone stops me and starts talking to me too much. Obviously, I'm skilled at that conversation management by now. But I don't want to be in conversation with someone if I cannot be, right?

Ann Johnson: Yeah. It's a good tip for people too. If someone starts asking you a lot of questions and they continue to ask, someone you don't know, right, and they're just approaching you and asking you questions, you have no obligation to answer, and you should probably start asking your own questions back.

Jenny Radcliff: Yeah. I mean, this is one of the things that I talk about in romance scams. You mentioned "The Tinder Swindler". And I hate the term romance, and I hate the term scams because they've kind of minimized the impact of these things. But we know what we mean. But that's what you're trying to do. And one of the things I say to people is if you have a conversation and you find that you are speaking 80% of the time, and that person is speaking kind of 20% of the time, and you're giving away a lot of information and kind of being prompted to give more information about yourself, if you were talking about you the entire time, you need to kind of just raise your caution level up a little bit, because normal, natural conversation doesn't always go that way. And it's about that awareness of the way people operate that, A, needs to be noted by all of us in terms of security culture, but B, is what social engineers and criminals rely on. We want the target to talk, right? Because just like your friend with the notepad or the iPad, everything is being logged and noted, if not for use in that conversation, but for the future, which is very sinister, I realize.

Ann Johnson: It sounds very sinister, but I don't think that people realize how much is happening around them. To your point, everyone's just trying to get through their day. That's human nature, right? You're just trying to get through your day. And I know you have confidentiality agreements, so let's talk at a general level, but you've led some incredible social engineering and hacking jobs against some really well sophisticated and well-funded programs. Can you tell us anything about some of the more interesting jobs you've done? And I'd love to hear about some of the surprises you found along the way. Were these programs that were allegedly sophisticated, easier to break than you first thought they would be?

Jenny Radcliff: There's a lot of sort of in that. Let's unpack it a little bit. So every job is interesting in my job. I'm a paid burglar, right? So there's no such thing as a regular day. They're all interesting in different ways. And it's so funny because I do a lot of interviews. And you've said the word interesting. So that lets me pick my most sort of interesting jobs. But I'm always being asked, what was the most dangerous? Was there anything that took you by surprise, I suppose? A standard job would be that I would have a small crew with me of specialists. So sometimes, it's just me, a driver, and the office backing me up, OK? And I will be inside a building or trying to get inside a building with whatever kind of pretext we've decided on. And then, once I'm in that building, all our research, we do a lot of OSINT, or open-source intelligence. We do a lot of surveillance so that I have an idea of what's normal in that building. And then, you go in and you meet people. And I think it was Mike Tyson who said, we all have a plan till we're punched in the face, right? And then you meet a person, and everything sometimes changes. And actually, it's a key skill in social engineering to be able to adapt tactically to whatever happens. So there's no such thing as a standard day. I'm always in an office without permission, or in a building without permission, or in some situation without permission. And that's never anything other than interesting. But, I mean, to your question specifically, I thought I looked at this and I was thinking, "What can I tell you about?" So I'll tell you about two jobs. One time, I had a crew, and we were asked to test a big mall over here in the UK. So we call it a shopping center. You guys call it a mall, right? And we've done so much research, Ann. Honestly, we'd looked at it for a long time. Huge, huge site. To give you an idea of how big this place is. We knew that at any given point, there was at least 50 security staff. That's 50 on site, right? So all the different restaurant, shops, cinemas, all this type of thing. So we'd really looked into the routines, the traffic, the tech, the entry points. I had a team of six. So some sort of students who were there just to kind of be decoys and distractions and things. And then, there was a core team of me and a technical specialist. We had specific uniforms on for pretext. We had a specific story. And we had backup plans. We go on the site. We know where the office is, which is our main target, their kind of sock, their secure area. Walk in, the doors open, nobody's there, nobody's in the office, nobody's anywhere. Walk in, get what we were asked to get without any incident at all. So we had passes, they worked. Everything worked. And my whole team was devastated because I say, "OK, that's finished. Now, we exit," right? And especially the students were kind of like, "But we really want to practice. We want to talk to people and be our characters." And they wanted obstacles, and there wasn't any. And I always say that job first, because we just walk out and that's it. It's finished in like 20 minutes. We're done, even though there should have been massive amounts of interference and we should have needed our plans. And it was done. I say that one because then it shows you how the next one can go so wrong, because things don't go to plan always. We got a job and it was in an amusement park. I'm not sure if in the States that's what you call it.

Ann Johnson: We do.

Jenny Radcliff: We do kind of you call it.

Ann Johnson: Yeah.

Jenny Radcliff: Right.

Ann Johnson: Yeah.

Jenny Radcliff: And what had happened with them is they had been a target. They'd been threatened to life on this park. They'd been threatened with, I mean, terrorist activity, really. I mean, that's the best way of putting it. They knew they were a target. They were a target. And had been identified as such, not just by what had been sent to them, but also by our kind of law enforcement, intelligence services as this is going to be a target. And so, they'd done a lot of tests, but they asked me to go along with my crew. And we did go. And so, you can imagine it's nighttime. It's an amusement park, which is eerie and spooky anyway. And it's cold and it's horrible. And I'm there. And I didn't have a big team with me this time because it should be straightforward, right? There's no one on site. We can get over fences. We can get through gates. It's really just a case of us documenting what is on site. But we go in, we walk around. Roller coasters, everything's all kind of stopped in the middle of the night. And I sort of lost track of the rest of the crew. And my team was kind of all over the place just because it was so big and we weren't really needing to stay in too much communication on the ground because, I mean, there was no one there, except there was people there. So the guys had all run off, and they were doing their thing, and we were ready to kind of abort. I look at my phone. My phone's out of charge. And that never happens, right? My phone is always charged. I always have water, and I always have my phone fully charged. But it's out of charge for whatever reason. Can't get the phone to go. And then, I hear the gate. And what I hear, and I'm not going to say the exact words, but I hear the guard give the command to dogs to go and find someone, right? So now, I know that there are at least two security guards that they definitely know that we're on site, that someone is on site, and they've got guard dogs running around this fairground. I am not a fan of doing jobs where there are guard dogs involved. In fact, I charge you about 10% more if you've got guard dogs going to chase me. And it was a case of what you do. And I thought, well, there's only one thing I can do. And I had to hide. And I hid inside what we call a ghost train, right? You guys call it a ghost train. I hid inside the little booth where you go and you pay to go on the ride. And then, the dogs are running around. And I moved from there into the actual ghost train. And those type of places, if we go on during the day or with your friends and family, whatever, it's kind of funny. It's a bit cheesy, isn't it? You've got skeletons, like Halloween. It's like going into a store at Halloween. But I tell you, when you're on your own at night and there's dog, it's a lot less funny. And they didn't find me, but they nearly found me. And I was lying there for a very long time looking at like plastic skeletons and stuff like that. So, yeah, there's a lot goes on, I guess. So that was interesting.

Ann Johnson: I can't even imagine. I would not be a fan of doing a job. I mean, I have four rescue pups, by the way, but I would not be a fan of doing a job.

Jenny Radcliff: I love dogs.

Ann Johnson: No, I know. Doing a job where there's guard dogs, I mean, because they're trained in a very specific way. So, congratulations for having the bravery to do that. I don't think I would do it.

Jenny Radcliff: Well, I didn't want to do it. You're in it, aren't you? By the time it happens, by the time you kind of realize what's going on, it's too late is the problem. And we had not scoped that there'd be dog. Well, I say that. We knew that they used them, but this is a pen test, right? This is a penetration test, and the dog should not be part of that, right? But they are.

Ann Johnson: Yeah.

Jenny Radcliff: And so, quickly realized that whatever parameters we'd agree with the client had not been translated through. That's probably the best way of putting it. But I love dogs. It's just I don't like the guard dogs going to bite me. But I'll tell you something.

Ann Johnson: No.

Jenny Radcliff: So after that, I have a contact who was former military. And I was telling him about this. And he said, "You know what you need to do?" He said, "There's a way that you can stop that." And he told me how to train a guard dog, right? So he said, I'm going to train you like as if you're a guard dog. I'm going to tell you all the commands. I'm going to tell you how it works, how we train them, and I'm going to give you some secrets. And he gave me some secrets as to the command to stop. And he told me to always take some dog biscuits and a tennis ball. And honestly, it shouldn't work every time. He didn't say to rely on it, but it works enough times that I always have those on me if there's even the slimmest chance that I'm going to be chased by a guard dog. I was very grateful to him for giving me those tips, because, you see, that frightens me more than half the situations I'm in normally, right? And you say interesting, like it's funny when I look back and I think of how awful some of those, because these are skeletons in a ghost train,

Ann Johnson: Yeah.

Jenny Radcliff: Right? It's plastic. It's got a wig on. It wasn't Disneyland or something where you'd expect everything to be amazing, the best sort of theme park in the world. It was a little local kind of theme park. So it was cheesy. But nothing's cheesy at night, right? Everything kind of changes in those circumstances.

Ann Johnson: Yeah. No. Well, it becomes more scary. But let's talk about culture for a minute. You talk a lot about the culture. Microsoft, we talk about our culture of security, right, and how we need to fortify security programs, whether they're physical security programs or cybersecurity programs. I'd love your perspective on how to build a security culture and what are common characteristics of organizations that have done it really well.

Jenny Radcliff: Yeah. I mean, again, I try and reduce these things to the simplest terms. And the organizations that do this well do a couple of things. One of the things that they do is that they give people lots of ways to access learning, right? So one of the things that really annoys me at this moment is the fact that in the awareness space, a lot of companies talk about gamification, and how great gamification is, and that it replaces boring PowerPoints or something. And gamification can be great, right, for certain people. Certain people, if you gamify something like phishing awareness, then certain people will love that, and to the point where they're obsessed with it, and they work with one company, and they had to stop employees playing this phishing game because they weren't getting the work done type of thing. Some people love that. Other people hate that, right? And a lot of people in the security industry are not neurotypical. I'm around a lot of neuroatypical people, if you like. And the competition element of it, the noise of it, the distraction doesn't suit them. So, the companies that are successful allow people to learn in a variety of ways. Some people like a PowerPoint. Do you know what I mean? Some people actually like to read an article. Oh my goodness, can you imagine? Imagine having the attention span to read a white paper. But I have clients who are legal or financial CEOs, directors, VPs. They're not going to play a game involving phishing emails, clicking on a little fish that says, "Oh, I'm a phishing email." Do you know what I mean? You've got to give people lots of different ways to access the information. And you have to do it regularly, and you have to do it repeatedly, right? And the way to stop people being bored of that is to give them lots of different routes to the learning. Even without a big budget, you can do that. You just need to be imaginative. So that's the first thing. The second thing that's really important in culture is that culture has got to come from everyone. And to do that, we need to hand the conversation back to people who do not do security every day as part of their job. If we, as security people, keep telling people what they should do, keep telling them what is good for them, then it always is separate to how they live, if you like. What we need to do is explain to people what the risks are. Tell them a little bit about how they can protect themselves. Make it easy for them to do the right thing, OK? Because if you make it difficult, just like when I speak about physical premises, if you make it difficult and cumbersome to take the secure route, then everyone will find the way around it. It's kind of human nature. We solve the problem. We satisfy our immediate need. So we make it easy for them to do the right thing. But more importantly, the conversation goes back to the rest of the team. And the thing is, if security cannot be made interesting, there is almost no hope, because security should be, to people who are not in it, fairly exciting, right? Because we're in an industry with villains, and plots, and cyberspace, and weaponization, and a million things, and money, and technology. We can't afford to let that be boring. And the way to stop it is to say to people who are not in the industry, this week, whatever meeting you have, it's your job to come and tell us a one minute security story, something that you found. Maybe something on the news, maybe you've had a phishing attempt, maybe you've had the IRS phish. And that person's nominated to just talk about it, just say, you know, I got this email, thought that it was fine, and then my partner said it wasn't. Or, I got this email and I thought that's definitely a phish. And anyway, it wasn't. Why did I think that? You have to hand this conversation back to people. If you don't, we are always preaching, and people will eventually just hear white noise. So make it exciting, make it accessible, make it easy, and hand it back. That's what I always say.

Ann Johnson: I think those are really, really great tips. And the thing about not talking in our security vernacular, making it accessible, and also knowing your audience, right? I'm also one of those people who's not going to play a gamified experience, but I will read a white paper.

Jenny Radcliff: Yeah, exactly. Me too.

Ann Johnson: Because that's part of my job. Yeah.

Jenny Radcliff: Well, I don't mind gamification, but yeah, yeah.

Ann Johnson: We've talked a lot about individuals and things to look out for. But do you have any other tips before we move into our typical close? Anything else for people as an individual, not necessarily a company, that they should be looking out for?

Jenny Radcliff: Just out of context things. I always say, emotion, urgency, call to action, money. But really, the thing is, if you're being asked to do something that's just not usual, especially if it's emotional, especially if it's about money, or getting around procedure, just be more suspicious. And this is a horrible thing because people say, "Oh, but it's awful that we have to be suspicious. You sound paranoid." But it kind of takes some of the enjoyment out of life. And the truth is, we need to be honest with people. Yes, it does. It does stop us all enjoying life. If scammers and social engineers, malicious social engineers, and criminals were not present, the world would be a much happier, more harmonious place. But I'm sick and tired of this industry being so afraid of frightening people that we stop being direct. Treat them like grownups.

Ann Johnson: Yeah.

Jenny Radcliff: And say, "If something feels off, check it before you click." And that does mean, unfortunately, that we've got to be more suspicious than we'd like. That is reality. That is the life. There's a lot of things there to help. There's a technology and people trying to help you. But the bottom line is we do need to be more suspicious.

Ann Johnson: So I agree, by the way, and I think we need to stop sugarcoating it, and we need to, to your point, treat people like they are adults. Let's get to the point. We're getting close to wrapping up, and I've loved having you on. We could talk for hours. But I know you're super busy. You have a lot going on with your ethical hacking, you have a podcast, you have a TV host, et cetera. So can you share a little bit of some of the stuff you're working on right now?

Jenny Radcliff: Sure. So, my book, "People Hacker", is not yet available in the US. It will be soon. It's come out. It's done very well in the UK. It's a memoir. So it's a collection of stories about how I got into the job and some of the jobs I did. So some of them are funny, some are dangerous, different sectors, different circumstances. If you're in security and interested in social engineering, I hope that you would like that book. That book was also picked up by, well, Hollywood. I feel silly saying that, but it was. And that's going to be made into a major TV show in the near future. That's not just picked up and optioned. It's going to be made into a TV show. But also, I'm working with TV show here in the UK. So we have a morning show in the know, daytime TV thing, and it's called "This Morning". And I work on that show most weeks. And what's wonderful, Ann, about it is I have five minutes usually to give quick five security tips to an audience of people who don't get them a lot of the time. And one week, it'll be about property scams, or motor scams, or something like that, and the next week, it'll be about something else. Recently, I was in the studio with famous people in and out of other offices and rooms all around you. And I was there because there was a group of Taylor Swift super fans who I believe are called Swifties, and they were trying to buy tickets for a concert that Taylor Swift has given in the UK. And I was there to help them do that safely and securely. So you can imagine it's absolutely chaotic. I'm used to these very serious security situations, this type of interview in our industry. And instead I'm on live television to a million people and more sort of saying, "OK, don't give your financial details out. Don't let them persuade you. Don't buy a sob story." And then, they'll be like, "That's fine. Thank you, Jenny." And now, over to the chef who's going to tell you about the best use of pasta this week. So it's kind of like the most crazy, strange environment. And it's weird because I get recognized on the train and in airports and things now. But people normally say, "Thank you for the advice. I didn't know that." And I think that's one of the most gratifying things that I work on is that just people in the street who really don't know about this, they don't know what a VPN is, or anything about passwords or anything, are just getting that five minutes of me hectically shouting as much information as I can every Monday. And I never thought that would happen to me, and I'm sure it won't last. But while it does, I'm very happy.

Ann Johnson: Well, and you're doing a service and helping. And that brings me to optimism, right? I'm always optimistic because I do believe, as cyber defenders, for everything we see in the news, there's 1,000 attacks we stop. What are you optimistic about in the future of defense of our digital world?

Jenny Radcliff: I tell you, right, I find it hard to be optimistic sometimes. I see so much misery and so many scams. And on the serious side of what I do, the side that I don't talk that much about, sometimes, it's beyond miserable. What makes me optimistic is the people coming into the industry is young people. Because when you give a talk to a group of school kids, which I do quite often, or you give a talk to students at college, or you meet someone young just coming into the industry, or even someone who's more senior, who's changing jobs, I was speaking to a lady in her 60s earlier today, who's just decided to get into cybersecurity. That's what makes me optimistic, because they have fresh eyes, and they're determined to fight on the side of the angels. And because there is an unending supply of people prepared to do that, that's what makes me optimistic. The only way that we ever win is by being optimistic and not letting those criminals and malicious people get us all down and stop us fighting back. So that makes me optimistic endlessly.

Ann Johnson: That's incredible. I love that perspective. Jenny, this has been a wonderful conversation. Thank you so much for making the time to join me today.

Jenny Radcliff: It's been my pleasure, Ann.

Ann Johnson: And many thanks to our audience for listening. Join us next time on "Afternoon Cyber Tea". [ Music ] I invited Jenny Radcliffe to join me because she has such a fascinating and breadth career across social engineering, and ethical hacking, and breaking into organizations. Really great tips for both organizations and individuals on how to recognize, spot, and not respond to a social engineering attack. It's a fantastic episode, and I look forward to everyone listening to it. [ Music ]

Afternoon Cyber Tea with Ann Johnson
Podcast Info
HOST(S):
Ann Johnson
Ann Johnson, CVP of Security, Compliance and Identity at Microsoft, oversees the long-term security investment and partnership strategies helping organizations become operationally resilient and unlock capabilities of Microsoft's intelligent cloud and next generation AI. From the way we tackle cyber threats to the language we use, Ann encourages the industry to get outside its comfort zones to expand how we address the evolving threat landscape.
Schedule: Tuesdays
Credits: Executive Producer is Bruce Bracken, Co-Executive Producer is Greg Ormsby, Producer is Rob Petrillo. Production Manager is Max Solomon, Scheduling and Administrative Support is Annalisa McBride, and our Audio Engineer (and magician) is none other than The Great Rich Cerbini.
Creator: Microsoft